Posted by WhyNotHugo 4 days ago

We all dodged a bullet (xeiaso.net)
Related: NPM debug and chalk packages compromised - https://news.ycombinator.com/item?id=45169657
822 points | 483 comments | page 3
nottorp 3 days ago|
> With that in mind, at a glance the idea of changing your two-factor auth credentials "for security reasons" isn't completely unreasonable.

No?

How do you change your 2FA? Buy a new phone? A new Yubikey?

croemer 3 days ago|
For TOTP it's as simple as scanning a new QR code.

I agree that rotating 2FA should ring alarm bells as an unusual request. But that requires thinking.

kumavis 3 days ago||
> all the malware did was modify the destination addresses of cryptocurrency payments mediated via online wallets like MetaMask

A clarification: Despite MetaMask depending on the compromised packages it was not directly affected because: 1) packages were not updated while the compromise was live 2) MetaMask uses LavaMoat for install-time and run-time protections against compromised packages

However the payload did attempt to compromise other pages that interact with wallets like MetaMask.

Disclaimer: I worked on LavaMoat

LavaMoat: https://github.com/lavamoat/lavamoat

leviathant 3 days ago||
I don't know what series of events transpired that resulted in common, slightly irregular use of the word "kindly" by scammers, but I'm glad it happened. Immediate red flag, every time.
padjo 3 days ago||
“A utility function that determines if its argument can be used like an array”

I see the JavaScript ecosystem hasn’t changed since leftpad then.

dmitrygr 3 days ago|
My man, it has...in the worse direction...
bob1029 3 days ago||
"Batteries included" ecosystems are the ultimate defense against the dark arts. Your F100 first party vendor might get it wrong every now and then, but they have so much more to lose than a random 3rd party asshole who decides to deploy malicious packages.

The worst thing I can recall from the enterprisey ecosystems is the log4j exploit, which was easily one of the most attended to security problems I am aware of. Every single beacon was lit for that one. It seems like when an NPM package goes bad, it can take a really long time before someone starts to smell it.

brushfoot 3 days ago||
Agreed; the rich standard library from Microsoft is one of the many things I appreciate about C#.

The article's author seems to be under the misapprehension that standard libraries should or have to be community-driven like Node's and that falling for phishing attacks is inevitable over a long enough period of time. Neither notion is accurate.

ameliaquining 3 days ago|||
Log4Shell didn't light up all the beacons because Java is "enterprisey", it was because it was probably the worst security vulnerability in history; not only was the package extremely widely used, the vulnerability existed for nearly a decade and was straightforwardly wormable, so basically everybody running Java code anywhere had to make sure to update and check that they hadn't been compromised. Which is just a big project requiring an all-out response, since it's hard to know where you might have something running. By contrast, this set of backdoors only existed for a few hours, and the scope of the vulnerability is well-understood, so most developers can be pretty sure they weren't impacted and will have quite reasonably forgotten about it by next week. It's getting attention because it's a cautionary tale, not because it's causing a substantial amount of real damage.

I do think it's worth reducing the number of points of failure in an ecosystem, but relying entirely on a single library that's at risk of stagnating due to eternal backcompat obligations is not the way; see the standard complaints about Python's "dead batteries". The Debian or Stackage model seems like it could be a good one to follow, assuming the existence of funding to do it.

SahAssar 3 days ago|||
Heartbleed? Solarwinds? Spectre/Meltdown? Stuxnet? Eternal Blue? CVE-2008-0166 (debian predictable private keys)?
dghlsakjg 3 days ago||
Solarwinds?
mdavid626 3 days ago||
How would any normal person know that npmjs.help is phishing, but npmjs.com is valid?
DecoySalamander 3 days ago||
It wasn't a "normal person", it was a developer that put this into the README of his package

> But beyond the technical aspects, there's something more critical: trust and long-term maintenance. I have been active in open source for over a decade, and I'm committed to keeping Chalk maintained. Smaller packages might seem appealing now, but there's no guarantee they will be around for the long term, or that they won't become malicious over time.

I expect him to know better.

mdavid626 3 days ago||
Does this mean you verify EVERY domain you use? How to even do that?

Shouldn’t this be solved some other ways?

DecoySalamander 3 days ago||
I do it by reading domain name and comparing it to what I expect it to be. It's not hard and when in doubt I can easily check WHOIS info or search online for references.

This is also easily avoidable by using a password manager, which will not autofill credentials on a page with a wrong domain.

Edit: And yes, I do this for every link emailed to me that does anything more high stakes than point me to a newsletter article.

mdavid626 3 days ago||
I think it’s unreasonable to expect that people will do this. Most people have no idea what a domain is, they won’t be able to check WHOIS records.
creesch 3 days ago||
To state the obvious, one ends with "help", one with "com". It effectively is phishing awareness 101 that domains need to match.

You still don't know then of course. When in doubt you shouldn't do the action that is asked through clicking on links in the mail. Instead go to the domain you know to be legit and execute the action there.

Having said all that, even the most aware people are only human. So it is always possible to overlook a detail like that.
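
The domain check that the two comments above describe (a password manager refusing to autofill on the wrong domain, and a reader comparing the link's domain with the one they expect), written out as an added example; this is not code from the thread or from any password manager. It assumes the expected domain is a plain registrable name such as "npmjs.com"; the sample links are constructed for the demonstration.

```javascript
// Added example: the host check a password manager performs before
// autofilling, which is also the check a reader applies by hand. The link's
// hostname must equal the expected domain or be a subdomain of it.
// Assumption: expectedDomain is a plain registrable domain like "npmjs.com".

function hostMatchesDomain(linkUrl, expectedDomain) {
  let host;
  try {
    // WHATWG URL parsing lowercases the host, drops userinfo such as
    // "npmjs.com@example.test", and converts non-ASCII labels to punycode.
    host = new URL(linkUrl).hostname;
  } catch {
    return false; // unparsable URL: never treat it as trusted
  }
  const expected = expectedDomain.toLowerCase();
  // Exact match, or a genuine subdomain (host ends with ".expected").
  // "npmjs.help", "npmjs.com.example.test" and "evil-npmjs.com" all fail.
  return host === expected || host.endsWith("." + expected);
}

function safeToAutofill(linkUrl, expectedDomain) {
  // Password-manager rule: right domain AND https (short-circuit keeps
  // new URL() from running on a link the domain check already rejected).
  return hostMatchesDomain(linkUrl, expectedDomain) &&
    new URL(linkUrl).protocol === "https:";
}

// Constructed sample links (not real phishing URLs) to exercise the rules.
const SAMPLE_LINKS = [
  "https://www.npmjs.com/package/chalk",   // genuine subdomain
  "https://NPMJS.COM/",                     // differs in case only
  "https://npmjs.help/reset-2fa",           // wrong TLD (the lure in this thread)
  "https://npmjs.com.example.test/login",   // expected name as someone else's subdomain
  "https://evil-npmjs.com/",                // expected name as a suffix without a dot
  "https://npmjs.com@example.test/",        // userinfo trick; real host is example.test
  "https://npmjs.c\u043Em/",                // Cyrillic "о" homoglyph in "com"
  "http://npmjs.com/",                      // right host, but not https
];

function classifyLinks(links, expectedDomain) {
  return links.map(url => ({
    url,
    domainOk: hostMatchesDomain(url, expectedDomain),
    autofill: safeToAutofill(url, expectedDomain),
  }));
}

for (const r of classifyLinks(SAMPLE_LINKS, "npmjs.com")) {
  console.log(`${r.autofill ? "FILL " : "BLOCK"} ${r.url}`);
}
```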

giveita 3 days ago||
Corollary: don't click on any email links. (Most use some dumb domain name that could be phishing)
mdavid626 3 days ago||
There are many sites which provide ONLY links, e.g. with a token in the URL. What about those?
giveita 2 days ago||
This is the problem. Those need to be very carefully clicked.

The whole web is a darn mess! I have no ideas for solutions.

zaik 3 days ago||
We need a permission system for packages just like with Android apps. The text coloring package suddenly needs a file access permission for the new version? Seems strange.
danenania 3 days ago|
Deno has taken steps in this direction. It’s probably doable for pure js packages, but nearly impossible for packages with native extensions.
dirkc 3 days ago||
I had a minor scare some time ago with npm. Can't remember the exact details, something like I had a broken symlink in my homedir and nodemon printed an error about the symlink! My first thought was it's a supply chain attack looking for credentials!

Since then I've done all my dev in an isolated environment like a docker container. I know it's possible to escape the container, but at least that raises the bar to a level I'm comfortable with.

PaulHoule 3 days ago||
This has so many dimensions.

An authentication environment which has gotten so complex we expect to be harassed by messages saying "your Plex password might be compromised", "your 2FA is all fucked up", etc.

And the crypto thing. Xe's sanguine about the impact, I mean, it's just the web3 degens [1] that are victimized, good innocent decent people like us aren't hurt. From the viewpoint of the attacker it is all about the Benjamins and the question is: "does an attack like this make enough money to justify the effort?" If the answer is yes then we'll see more attacks like this.

There are just all of these things that contribute to the bad environment: the urgent emails from services you barely use, the web3 degens, etc.

[1] if it's an insult it is one the web3 community slings https://www.webopedia.com/crypto/learn/degen-meaning/

1970-01-01 3 days ago|
At this super-wide level of near-miss, you must assume Jia Tan 3.0 will be coming for your supply chains.